PowerShell to Add a Workstation to a User’s Log On To Property

Use PowerShell to manage an Active Directory user's allowed workstations

It’s easy enough to use ADUC or ADAC to change the list of computers that a user account is authorized to logon to, but sometimes (like, whenever possible!) you need to use PowerShell. Let’s start by seeing what workstations the user is allowed to logon to now…

PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | Format-List Name, LogonWorkstations

Name : Jay Test
LogonWorkstations : testpc

This tells us that the user, Jay Test, is only allowed to authenticate from the computer named “testpc”. The LogonWorkstations field is a little funny in that it appears to be an array when you look at it in a GUI tool like Active Directory Users and Computers, but it’s actually just a text string with the names of individual computers separated by a comma.

Changing the value from one computer name to another is simple enough:

PS C:\> Set-ADUser jay.test -LogonWorkstations "newpc"

The LogonWorkstations property for jay.test now contains only the computer named “newpc”, and this account can no longer logon to “testpc”. (Note: the LogonWorstations property is not case sensitive. “NEWPC” is the same as “newpc”.)

However, if you want to add a workstation instead of replacing one, you might do it this way…

  1. Save the current value of the LogonWorkstations property to a string variable.
    PS C:\> $Workstations = (Get-ADUser jay.test `
    -Properties LogonWorkstations).LogonWorkstations
  2. Add the new workstation to the string and don’t forget the comma.
    PS C:\> $Workstations += ",newpc"
  3. Save the value back to the LogonWorkstations property.
    PS C:\> Set-ADUser jay.test -LogonWorkstations $Workstations

Now, when you get the new value from AD, you’ll see the new computer:

PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | `
Format-List Name, LogonWorkstations

Name : Jay Test
LogonWorkstations : newpc,oldpc

If you check in ADUC, you’ll see it like this:

LogonWorkstations property shown as Log On To in ADUC

It’s a bit more complicated if you want to remove a computer from the list, but here’s one way to do it:

  1. Save the list of computers in an array. This cmdlet will split the comma-delimited value of LogonWorkstations into an array.
    PS C:\> $Workstations = (Get-ADUser jay.test -Properties `
    LogonWorkstations).LogonWorkstations.split(',')
    PS C:\> $Workstations
    comp1
    comp2
    comp3
    comp4
  2. Remove the computer from the resulting array.
    PS C:\> $Workstations = $Workstations | Where-Object {$_ -ne "comp3"}
    PS C:\> $Workstations
    comp1
    comp2
    comp4
  3. Convert the new list, without computer “comp3”, to a string of comma-separated values.
    PS C:\> $Workstations = $Workstations -join ","
    PS C:\> $Workstations
    comp1,comp2,comp4
  4. Save the new workstations list back to the user object.
    PS C:\> Set-ADUser jay.test -LogonWorkstations $Workstations

Now, when you retrieve the list of allowable workstations for the user, you’ll see the list without the computer you removed:

PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | `
Format-List Name, LogonWorkstations

Name : Jay Test
LogonWorkstations : comp1,comp2,comp4

Finally, if you want to remove all workstation restrictions on a user account, this is probably the easiest of all of these tasks to do:

PS C:\> Set-ADUser jay.test -LogonWorkstations $Null

17 responses to “PowerShell to Add a Workstation to a User’s Log On To Property”

  1. Anton says:

    Hi, sorry my English bad)
    Q: How i can do this for all user in my Domain
    Users have list workstations and i must add new server in list
    Each user have own machine name in list this is problem

  2. jay c says:

    Hi Anton! Good question.

    I didn’t test this, but I’m pretty sure it will work. You should test it with a small subset of users or in a test environment first.

    In this code, “newpc” is the name of the computer you want to add to the list.

    $Users = (Get-ADUser -filter * -Properties LogonWorkstations)
    foreach ($User in $Users) {
    $Workstations = $_.LogonWorkstations
    $Workstations += “,newpc”
    Set-ADUser $User.SamAccountName -LogonWorkstations $Workstations
    }

    • Ayodeji says:

      Dear Jay C,

      Please how do I do this for a selected number of users? I need the format for the csv to use and the powershell.

      I just want to add a computer

  3. Tayfun Ozkan says:

    Alternate
    $Users = (Get-ADUser -Filter * -Properties LogonWorkstations -SearchBase “OU=XX,DC=contoso,DC=com”)
    ForEach($User in $Users)
    {
    $user.LogonWorkstations += “,test1,test2,test3”
    Set-ADUser -instance $user
    }
    🙂

  4. Joshua says:

    I have a single user account pltw-adm and .csv file with a list of computers(no column header). How would I modify this to add the list of computers to the single user?

  5. jay c says:

    Hi Joshua.

    You can use Get-Content to put the list of computers into a text variable like this:

    Get-Content C:\Temp\ComputerList.txt | %{$Workstations += “$_,”}

    That would leave a trailing comma at the end. I haven’t tried it, so I don’t know how AD would handle that.

    • mahi says:

      Hi JAY C,

      I want to map different systems with different users like below: Please suggest how to fulfill using powershell script.How to import csv/txt file for users against specific computer names.

      User Hostname
      A U
      B Y
      C X
      D Z
      E V

  6. Radz says:

    Hi Jay. This is very useful. Thanks a lot for sharing.

  7. Chris says:

    I am looking to deploy something like this that reads objects(workstations) where the managed by field is set to user “xyz123” and then update their ability to logon to that computer.

    Ideally we would like to run this against an entire OU on a regular basis.

    Any help would be appreciated.

  8. Mahi says:

    Hi JAY C,

    I want to map different systems with different users like below: Please suggest how to fulfill using powershell script.

    User Hostname
    A U
    B Y
    C X
    D Z
    E V

    • jay c says:

      Hi Mahi. You can put the list in a csv file and import that to a hashtable using import-csv. Then you can process each line with a foreach statement.

  9. Luis Eduardo Reyes Gaspar says:

    If a user needs to connect to a server to work on it using RDP protocol… User will be able to connect? or What happend?

    Could anyone support me, please?

    • jay c says:

      Hi Luis. You’ll need to add both the local and remote computers to the user’s LogonWorkstations property.

      Don’t forget to make sure the user is in the Remote Desktop Users group on the remote computer too.

  10. Maya says:

    Dear all,

    How can I write powershell script to import 1000 users restricted to login to only their computer. I do have csv files as follow

    SamAccountName,Computername
    abc,PC1
    xyz,PC2

  11. Maya says:

    sorry I am explaining more detail about my requirement.

    abc should login to PC1 only. and xyz should login to PC2. abc should deny to login all PCs except PC1

    please help…..

  12. Jamie says:

    Great post. I have a follow-up. I’ve just started working more with PowerShell. What I’d like to do is import a very long list of machines that people are allowed to log into. If I make a file with all the machine names I want to allow, would the machine names be separated by a comma in the file or can I put each machine name on a separate line in the file?

    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *